Vulnerability Details : CVE-2013-0263
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
Vulnerability category: Execute code
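The description above compresses three things into one sentence: why a non-constant-time HMAC check leaks the expected digest, how that leak lets a remote client forge a session cookie, and why a forged cookie in Rack 1.x ends in code execution (the cookie body is a Marshal-serialized session that is only deserialized after the digest check passes). The Ruby below is an added example written for this page, not Rack's own code. It assumes a constructed secret, follows the `base64data--hexdigest` cookie layout Rack 1.x used, and the helper names (`insecure_compare_traced`, `secure_compare_traced`, `recover_digest`, `sign_cookie`, `verify_cookie`) are hypothetical. Instead of measuring wall-clock time, each comparison reports how many bytes it examined before returning; that count is a deterministic stand-in for the response-time difference a network attacker would measure, and the simulated attacker recovers the digest one hex character at a time from it.

```ruby
require 'openssl'

# Constructed demo secret; a real Rack app takes this from its configuration.
SECRET = 'constructed-demo-secret-not-a-real-key'.freeze
HEX = ('0'..'9').to_a + ('a'..'f').to_a

# Variable-time comparison in the style of a plain String#==: it stops at
# the first mismatching byte. Returns [match, bytes_examined]; the count is
# the side channel, standing in for elapsed time.
def insecure_compare_traced(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    examined += 1
    return [false, examined] if x != y
  end
  [true, examined]
end

# Constant-time comparison: XOR every byte pair and OR the results, so the
# work done depends only on the length. Same shape as the secure_compare the
# fix added to Rack::Utils, rewritten here for the example.
def secure_compare_traced(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  r = 0
  examined = 0
  b.each_byte.with_index do |v, i|
    r |= v ^ l[i]
    examined += 1
  end
  [r == 0, examined]
end

def hmac_for(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Sign a session in the "base64data--hexdigest" layout of Rack 1.x cookies.
def sign_cookie(session, secret = SECRET)
  data = [Marshal.dump(session)].pack('m0')
  "#{data}--#{hmac_for(data, secret)}"
end

# Verify, then deserialize. Marshal.load on attacker-controlled data is why a
# forged digest escalates to code execution, so the MAC check must run first
# and must not leak how close the guess was.
def verify_cookie(cookie, secret = SECRET, compare = method(:secure_compare_traced))
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  ok, _examined = compare.call(hmac_for(data, secret), digest)
  ok ? Marshal.load(data.unpack1('m0')) : nil
end

# Simulated attacker: extend a guessed prefix one hex character at a time,
# keeping the character that makes the comparison run one byte further.
# Returns the recovered digest, or nil once the oracle stops distinguishing
# candidates (which is what happens against the constant-time version).
def recover_digest(true_digest, compare)
  recovered = +''
  true_digest.size.times do |pos|
    hit = HEX.find do |c|
      candidate = recovered + c + ('0' * (true_digest.size - pos - 1))
      ok, examined = compare.call(true_digest, candidate)
      ok || examined > pos + 1
    end
    return nil if hit.nil?
    recovered << hit
  end
  recovered
end
```

Against `insecure_compare_traced` the simulated attacker needs at most 16 guesses per character, 640 for a 40-character SHA-1 hex digest, after which it can sign any Marshal payload it likes; against `secure_compare_traced` every candidate costs the same 40 bytes of work and the search recovers nothing. Real attacks have to average many requests per guess to pull the signal out of network jitter, which is why the CVSS vector carries AC:H, but the structure of the attack is exactly this loop.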
Exploit prediction scoring system (EPSS) score for CVE-2013-0263
Probability of exploitation activity in the next 30 days: 8.35%
Percentile (proportion of vulnerabilities scored at or below this): ~94%
CVSS scores for CVE-2013-0263
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P | 4.9 | 6.4 | NIST
References for CVE-2013-0263
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07 (Use secure_compare for hmac comparison, rack/rack@0cd7e9a, GitHub)
- https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ (rack-devel Google Groups thread)
- https://gist.github.com/codahale/f9f3781f7b54985bee94 (gist:f9f3781f7b54985bee94, GitHub)
- https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ (rack-devel Google Groups thread)
- https://twitter.com/coda/statuses/299732877745197056 (Omelas County Chamber of Commerce on Twitter: "Rack just released a fix for CVE-2013-0263, a timing attack vulnerability I reported to them TWO AND A HALF YEARS AGO BACK WHEN IT WAS COOL.")
- https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J (rack-devel Google Groups thread)
- https://puppet.com/security/cve/cve-2013-0263 (CVE-2013-0263 | Puppet)
- https://bugzilla.redhat.com/show_bug.cgi?id=909071 (Red Hat Bugzilla 909071: CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions)
- http://rack.github.com/ (Rack: a Ruby Webserver Interface; vendor advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0686.html (RHSA-2013:0686, Red Hat Security Advisory)
- https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ (rack-devel Google Groups thread)
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11 (Add secure_compare to Rack::Utils, rack/rack@9a81b96, GitHub)
- https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ (rack-devel Google Groups thread)
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html (openSUSE-SU-2013:0462-1: moderate: RubyOnRails: security version update)
- http://www.debian.org/security/2013/dsa-2783 (Debian Security Information, DSA-2783-1 librack-ruby)
Products affected by CVE-2013-0263
- cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rack_project:rack:1.1.6:*:*:*:*:*:*:*